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Abstract. It is a classical result (apparently due to Tate) that all elliptic 
curves with a torsion point of order n (4 < n < 10, or = 12) lie in a one- 
parameter family. However, this fact does not appear to have been used ever 
for computing the torsion of an elliptic curve. We present here a extremely 
down-to-earth algorithm using the existence of such a family. 
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1. Tate and Weierstrass normal forms 

An elliptic curve is a plane smooth affine (respectively projective) curve de- 
fined by a cubic (homogeneous) polynomial. All these curves are known to be 
birrationally equivalent (that is, isomorphic as algebraic varieties, up to a fi- 
nite number of points) to one which equation has the form Y"^ +aiXY +a-iY = 
+ 02 V^ + a^X + ag. When all the coefficients lie in a field K, the set 
of points in the curve with both coordinates in K admits a group structure 
( llCassels 1966 1, [ Cassels 1991 |, [ Husemoller 1987| ) with the inner operation 



defined by the classical chord-tangent procedure. This group is then noted 
E{K). For historical reasons we will note this operation additively and so 

*Partially supported by Junta de Andaluci'a, Ayuda a Grupos FQM 218 



we will write 2P for P + P. As the unit element is usually taken to be the 
only point at infinity (say O), we can restrict ourselves to affine points. 

The Mordell-Weil theorem states that, if i^' is a number field, E{K) is 
always a finitely generated abelian group ( jCassels 1991|| , [[HusemoUer 19871] ). 



The torsion subset of E{K) is hence a finite subgroup, noted Et{K). The 
strongest result concerning -Et(Q) is due to B. Mazur and explicitly states 
all groups which can appear as torsion subgroups of elliptic curves defined 
over Q: 



Theorem (Mazur).- ( jMazur 1977|| , [[Mazur 1978|| ) Let E be an elliptic 



curve defined over Q. Then its torsion group -Et(Q) is either isomorphic to 
Cn (the cyclic subgroup of n elements) for n = 1, 2, 10, 12 or to C2 x 
for n = 1,2, 3, 4. All of these possibilities actually occur. 

The aim of this paper is giving an efficient procedure, different from the 
usual ones, still very lowbrow, for computing the torsion subgroup of an 
elliptic curve defined over the rationals. First of all we must put the curve 
into a more manageable form. 

For a general elliptic curve it is known (see, for instance, [[Cassels 1966 



Cassels 1991|| , fHusemoller 1987| ) that using linear changes of variables, one 



can take the equation defining the elliptic curve into an easier one of the type 
y2 _ _|_ j^j^ _j_ This is known as Weierstrass (short) normal form. 

A straightforward computation proves that the only linear changes of 
variables preserving Weierstrass normal form are those given by 

for some m G Q. Such a change takes the curve defined by = + AX + B 
into the one defined by Y^ = X'^ + {A/u'^)X + {B/u^). This argument shows 
that one can always assume A and i? to be in Z. It also implies that the 
number A^/B"^ is an invariant of the equivalence class of elliptic curves in 
Weierstrass form up to linear changes of variables. 

Of course, even if two curves Y"^ = X^ + AX + B and Y^ = X^ + CX + D 
verify A^/B"^ = C^/D"^ this does not mean they are equal up to some linear 
change of variables of the previous form. In fact, it is fairly elementary 
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proving that this happens if and only if the following condition hold: there 
exists a rational solution u for the system 




} 



with the obvious arrangements for the cases in which any of the coefficients 
vanishes. 



In addition, if the curve is already known to have one rational point of 
order n > 3, one can choose to put the equation of the curve in the form 
Y'^+bXY+cY = X^+dX^, also using nothing but linear changes of variables. 
This second formula is called Tate normal form ( [|Husemoller 1987| ). 

2. The Lutz — Nagell theorem 

Most classical algorithms for computing rational torsion of elliptic curves are 
based on the following result, achieved independently by Lutz and Nagell 
( IINagell 19351 , [|Lutz 1937|| ): 

Theorem (Lutz — Nagell).— Let E be an elliptic curve defined over Q, 
given by a Weierstrass equation Y"^ = X^ + AX + B with A,B G Z, and let 



Clearly (3 = is equivalent to 2P = O and this 2-torsion part is rapidly 
computable. For computing the remaining points (if there are any) we simply 
factorize A = + This quantity, called the discriminant of E, will 

be most important in the sequel. For every square divisor, say of A, we 
compute the integral solutions to X^ + AX + {B — m^). If we actually find 
an integral root, say n, we only have to check whether {n,m) is a torsion 
point, which only involves computing, at most, 12(n, m), following Mazur's 
Theorem. 



P = {a,P) G Et{Q). Then 



(a) Both a and f3 are in Z. 



(b) Either /3 = or (3^\{4:A^ + 275^). 
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Simple as it is, this algorithm is not very efficient, being its major draw- 
back the necessity of factoring A. This is the algorithm presented, for in- 
stance, in I JUohen 1993|| and [ [(Jremona 19914 • 



3. Good reduction: a first bound 

The ffist step in our algorithm will be a reasonable bound for the size of 
Et{Q). The existence of the group structure in an elliptic curve does not de- 
pend on the field we are taking coordinates in. So, for instance, ii A,B ^ Z, 
then for all primes p, the same equation defining an elliptic curve over Q de- 
fines an elliptic curve over the finite field Fp. The relationship between these 
two curves can help us in our purpose, using the next result ( IfJassels 1991 
Husemoller 1987[| ): 



Theorem.— Let E be an elliptic curve in Weierstrass form = + 
AX + B, with A,B & Z. If p > 2 is a prime number such that it does not 
divide A, then the mapping 

ledp-.ETiQ) — ^ E{Fj,) 

(ai,tt2) I — ^ (aT,«2) 
O I — > O 

is an injective group homomorphism (where Oi denotes the residue classes of 
ttj modulo p). 

Primes which do not divide A are called good primes and the induced 
group homomorphisms are called good reductions. So, choosing some prime p 
not dividing A and computing how many points lie in E{Fp) we must obtain 
a multiple of the order of Et{Q,)- Our practical choice has been taking three 
primes (as small as possible), computing the number of points in each case 
and finding the greatest common divisor of all those quantities. In most 
cases, this bound was found to be the actual order of Et{Q)- 

There are, however, some cases which does not fit this scheme. For exam- 
ple, the curve defined by = X^ + X has the property that, -Et(Q) = C2 
but, for every good prime p the order of E(Fp) is divisible by 4. 



4 



Trying then to be a bit more accurate, we computed not only the order of 
E(Fp), but also how many elements of order 2 it had. So, if E(Fp) presented 
more points of order 2 than E itself, our choosing for the bound can be 
smaller than the order of E{Fp). In the above example, as E^ is isomorphic 
to C4 and -^(Fs) is isomorphic to C2 x C2, the bound actually found is the 
order of the group Et{Q)- 

So, if |ii^(Fp)| = M, the number of points of order 2 in ii^ is s and the 
number of points of order 2 in E(Fp) is t, the choosing of the bound goes 
like this: 

(a) If s = t, we choose M. 

(b) If (s, t) E {(0, 1), (1, 3)} then we choose M/2. 

(c) If (s,t) = (0,3) then we can choose M/4 as the bound. 

Note that one needs the fact that E(Fp) is a finite group with, at most, 
three elements of order 2. 



4. Points of given order 

We will explain now how to decide when an elliptic curve defined over the 
rationals has a point of a given order, say n, where n = 4, 10, 12. First we 
need a result on parametrization of torsion structures. Most cases are proved 
(quite straightforwardly) in [[Husemoller 1987[] . Also see |P:<.ubert 1976|| for a 
more exhaustive table, without any proofs. 

Theorem.— Every elliptic curve with a point P of order ri = 4, 9, 10, 12 
can be written in the following Tate normal form 

+ (1 - c)XY -bY = X^ - bX^, 

with the following relations: 

(1) If n = 4, 6 = a, c = 0. 

(2) li n = 5, b = a, c = a. 
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(3) Ifn 


= 6, 6 = 


a + a^, c = a. 


(4) Ifn 


= 7,6 = 


— a^, c = — a. 


(5) Ifn 


= 8, 6 = 


(2a — l)(a — 1), c = 6/a. 


(6) Ifn 


= 9, c = 


a^(a — 1), b = c(a(a — 1) + 1). 


(7) Ifn 


= 10, c = 


= (2a3-3a2 + a)/ [a - (a - 1)^] , b = ca^ j [a - (a - l)^]. 


(8) Ifn 


= 12, c 


= (3a2 - 3a + l)(a - 2a2)/(a - 1)^, b = c(2a - 2a'^ - 



!)/(«- !)• 



Suppose then that we want to check if a given curve E defined by = 
+ AX + B has a point of order n. Assume it posseses such a point: 
therefore E must be isomorphic to one curve lying in the one-parameter 
family. Then we simply compute the Weierstrass normal form of a generic 
curve in the familiy and check the conditions given at the end of section 1 
for two curves in Weirestrass form to be isomorphic. 

Example.— Let us give an example with n = 5. Suppose that we would 
like to know if our curve = X3+12933X-2285226 (this is curve llOAl(C) 
from jCremona 1992|| ) has a point of order 5. If it is the case, the curve must 



be isomorphic, by a linear change of variables, to one lying in the family 

+ (1 - a)XY - aF = - aX^. 

So, taking this general equation to Weierstrass form we obtain an equation 
which we will note Y^ = X^ + A5{a)X + 55(a). Should this curve be 
isomorphic to ours, it must hold 

A5{af _ 129333 
S5(a)2 ~ 22852262' 

which sums up to an equation in the variable a (in our case, of degree 12). 

This equation will be called the final polynomial for n = 5. For every 
root ao we have to check if there is some m G Q verifying 

/ 4 A 6 B \ 

1 A.iaoY B.iao) ' 
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If there is then we have a point of order 5, which is easily calculated, as 
(0, 0) is a point of order 5 in the Tate normal form. If not, then there are no 
points of order 5 in ii^. 

In our example, the only roots were —1/10 and 10. Besides, 

A,{10) = A, B,{10)=B, 

so in fact there is a point of order 5 in our curve. Tracing back the changes 
of variables a point of order 5 turns out to be (123, 1080). 

The only remaining case is n = 3 that is, we need a procedure for deciding 
if an elliptic curve has a point of order 3. There is also a Tate normal form 
for this case, but it has some inconveniences, being the heaviest one that 
the family of curves depends now on two parameters. However, there is a 
well-known property which can be used ( ||Cassels 1966|| ): 

Proposition.— Let E be an elliptic curve given by a Weierstrass equation 
y2 _ _j_ j^j^ _j_ Then E has a point P of order 3 if and only if there is 
an integral solution to the equation 

3X^ + QAX^ + 12BX - = 0. 

In this case, the solution is the first coordinate of P. In fact, in the 
cited article one can find polynomials which characterize points of any order. 
These polynomials become more complicated as the order grows, but they 
also allow to obtain a obvious procedure for deciding if there is any point of 
given order. 



5. The algorithm 

Given an elliptic curve in Weierstrass form Y"^ = + AX + B, in order to 
find its torsion group we proceed as follows: 

Step 1. Compute the number of points with order 2, that is, the rational 
solutions for X^ + AX + B. 

Step 2. Pick the smaller five (for instance) good primes for E and 
compute a bound M for the torsion as explained above. 
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Step 3. If the number of rational solutions is either or 1, then for 
every divisor d of M, apply the procedure described in the previous section 
to check if there is a point of order d. If this is done is decreasing order, the 
first affirmative answer gives us the group (which should be isomorphic to 
Cd) and one generator: either the point which comes from point (0, 0) in Tate 
normal form for n = 4, 10, 12 or the point directly obtained for n = 3. 

Step 4. If the number of rational solutions is 3, then apply the same 
procedure as above for every divisor d of M/2. Now the first affirmative 
answer gives us the group (which must be C2 x Cd) and a set of generators 
(the points of order 2 and the point which comes from point (0, 0) in Tate 
normal form). 



6. Explicit calculations 

In this section, we will show the computations that led us to the implemen- 
tation of our algorithm in Maple, currently available by anonymous ftp at 
ftp://alg7.us.es/pub/Programs/ (comments in Spanish so far...). 

So we fix an elliptic curve E, given by Y'^ = + AX + B with A, B e Z 
and we want to know if there is a point of order n on it. For all cases (except 
n = 3) we know this implies solving an equation on a parameter a which 
comes from the parametrizations of Tate normal form. 

However, one may find that "classical" parametrizations, though the sim- 
plest ones, are not necessarily the most convenient for our purpose. As we 
will need to compute the rational solutions of a polynomial in Z[X], which 
the best parameter is depends heavily on which root finding method is to be 
used. 



Our choice was the algorithm developed in fLoos 1983| , so we had to take 
into account that the complexity of finding the rational roots a polynomial 
in Z[X], say f{X) = J2o.iX\ of degree n, is 0(log^ ll/ll), where 

\\f\\=J:w^l 

so one may choose a parameter which minimizes ||/|| when / is the final 
polynomial. Such a parameter will be called a minimal parameter. 
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Case n — A. We will do this in detail. The general equation was 

Y^ + XY -aY = X^- aX^, 

provided 6 7^ 0, —1/16. 

Once it is taken to Weierstrass normal form, it sums up to 

Y^ = X^ + A4{a)X + B^ia), 

where 

^4(0;) = -432a2 - 432a - 27, B^ia) = -3456a^ + 6480^^ + 1296a + 54. 

So the final polynomial for a, B{aYA^ - A{aYB^ results 

P^ia) = 21236^^6 _ 21237 (5^3 _ 27^2) ^5 

+2^3^ (59^3 + 45952) + 2^3^11Aa^ 
+243^17Aa2 + 243^Aa + 3^ A 

Our next step is then to find a minimal parameter (that is, a parameter 
minimizing the norm of its final polynomial). So we find a new parameter 
f3 = ra + s. Obviously we need our new final polynomial, F4^{f3) to lie in Z[X] 
so it is plain that the natural choosing for r must be 1/12. Then we look 
for a rational s which minimizes 1 1 -^4 1 1 . As F4 was to lie in Z [X] the possible 
denominators were bounded (actually they had to be a divisor of 12). We 
find a minimum for s 1/12 so we took a = {(3 + 1)/12 and 

F4{(3) = A/56-6 (34^3 - 135fi2) /35 + 3 (851^3 + 2646^2) 
+4 (313^3 + 5940^2) (3^-6 {95A^ + 26465^) 
-24 {A^ - 135^2) p + 49/13 - 2165^. 

If we set N = max{|Ap, then 

IIF4II < 566677V ~ 2^3^52 AT. 

We present below all the minimal parameters along with bounds for the 
seminorm of the final polynomials, calculated as above. 
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Case n = 5. (3 = a, deg(F5) = 12, WF^W < 898312A^ ~ 

Case n = 6. a = /5/3-1/3, deg(F6) = 12, \ \Fe\ \ < 2220071A^ ~ 2^3'^5^N. 

Case n = 7. p = a, degiFj) = 18, IIF7II < 110725743A^ ~ 2'^^3^N. 

Case n = 8. a = p+1, deg{Fs) = 24, WFsW < 46702469380A^ ~ 2^3^58 A^. 

Case n = 9. p = a, deg^Fg) = 36, HFgH < 11353024920A^ ~ 2^^3^5^N. 

Cases n = 10 and n = 12 can of course be worked out in the same way 
but the polynomials get quite unpractical. As 

[ Cio ^ C2,C,cEt{Q) 

Et{Q) = 

[ Ci2 ^ CCeCETiQ) 

there is no necessity of finding the actual polynomials Fiq and F12. In these 
cases, the generator can be easily computed using the duplication formula. 

The leading coefficient of all final polynomials turns out to be A. Indeed, 
one can look for a parameter such that the leading coefficient and the inde- 
pendent term of its final polynomials are A. So, if the factorization of A is 
known, this final polynomials can speed up the process, as all the possible 
rational roots of the final polynomials are known in advance. 



7. Complexity and some examples 

As in the previous section, let 

A^ = max{|A|M5|2}. 

We will show that the running time of our algorithm is 0{K log^ N) for 



some K ^'N. Unless otherwise stated, ||Cohen 1993|| is the reference here for 
the details. 

The computation of the points of order two can be clearly accomplished 
in the expected time, using, for instance, the algorithm given in [[Loos 1983|| . 
Note that, should this be the case, it can also be used for checking the 
existence of points with order three, with the desired complexity. 
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The bounding of the torsion consists only on arithmetical operations on 
affine planes Fp, with p not dividing A. It is clear that there are primes 
smaller than N which not divide A. Of course, it is known that arithmetical 
operations with data bounded by A can be carried out in C(log^ N) time. 

So it only remains checking step 3 (step 4 is analogous) for the cases 
n — A, ...,10,12. But note that all the coefficients of our minimal polynomials 
are bounded by cN, for some natural c. This means that, for a rational root, 
written in irreducible form ckq — Po/lo, we have 

|/3o| , |7o| < cN. 

Therefore, if we want to find out if there exists some -u G Q such that 
= A/An{ao) we only have to put A/yl„(«o) in irreducible form (that 
amounts to find the gcd and divide) and compute the square root of its 
numerator and denominator twice. All these operations can be carried out 
in the expected time. If such an u exists, it is just a matter of arithmetical 
checking seeing ii — B / Bn{ao) . 

Some time results of our algorithm are given in the following examples 
table, using our MapleV routine. 

Ei: Y^ = - 98D6EA9CA5C901B ■ X + B5D1E097F653622F55B036 

E^: Y^ = X' {A2/A'^)X + {B^/B'^) 
E^: Y^ = X^- {A^/1&)X - (^3/32) 

where 

A2 = 83ACFBAEC1BB1AC8EA33B897FDE9672AB898D04622635/ 

198248803F6F6429EC185BB2AB6D5DAE2C41BA0EC07AD5/ 

46CFF23FA458FCB36D8E85877CF0 
A'^ = 4E07B196F78B523E2BF8B93D9FF09BFF22E07284643617/ 

AD603BDEBE49E967484527B634E2990C1E19261C903/ 

AAC97D0F23EE86534D501 1DF9A71 
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B2 = 1594F960645253D0B7F933BFD50446DC3FC067CAFEDB11/ 
E76E7EBBDA0FCB2EF4AC34672D4B6469AD156134B7DEA/ 
2FC9C7EFA07084E7695B18DBE22D436EEE2BB5EA14C26/ 
D67AB385078CB862970A2B56D62C837D4E00A097490 

B'^ = AC51A232098DD799F2D035E3B630C2EE79B9C00C70B9013/ 
071A6A0011C7A689A577D55A9BCCDA3FDCCE2FB25958A/ 
D9D1F26D9D0D118651B0B5548FF001466E8D0BF7946D23F/ 
9319CE52A96C7C9B2D0E37DEC87027D90109 

A3 = AF06EC915A7BC47C45CFBFA797633ACE67A79F7B381D29/ 
BCCA243AABA230AF5BAD1058D41582134BECEF3F8DBB 

B3 = 1BDA1A8FE9A5108EA7DB7FB6AE8EB3F7AB45A8D22614B/ 
93FDB39D03E0B8324128145C706768EF5EE5BE37E68F4C 
B5BC9EE31CC5B7EDA2C668D5CF0EFE9AA31F0B460EEB 



Curve 


Group 


Generator 


Time 


El 


C4 


(1C8CFC03, 100F4DC00) 


2.33s 


E2 




(Ai/A^,VAi) 


10.66s 


E3 


C2 X C4 


(A4, A5) 


3.85s 



where 

Ai = -1A8019538D071D5BFD9EEBA7B19BE9124EB6E592F0D15/ 

B0DD77D8016A58C 
A2 = -1626E05A34E5EA7E90A84BF3C4D604949BAA0DA532CDE1/ 

147804F9E6491E9E49F16F356882A85DA4C9785AC75C 
A3 = 17C6E3C032F89045AD746684045E05 

A4 = -7A36225A2ADAAFA9B059FF46EE903619BD0C4E2AD3AA1/4 
As = -897CE6A57036059EE6653F2FCC623CDCF4ADD7F02E202A/8 

The computations have been performed in a KMD300 computer. Note 
that our current implementation does not include so far the root finding 
algorithm of jLoos 1983|| but Maple V 5.1 built-in routine, so it is hoped 



that a complete implementation of our algorithm will obtain even better 
results. 
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We have compared our algorithm with, probably, the two most efficient 
current ones: Pari/GP built-in procedure, elltors (see ||Batut et al. 2000"[ ) 
and the routine Tor from the Maple package APECS (see [ [(Jonnell 1999|| ). 



Pari/GP elltors follows the algorithm described in [poud 1998|| , using 



the analytic parametrization of the curve. It is extremely fast and, besides, 
the periods of the lattice associated to the curve are directly computed by 
Pari/GP when you enter the curve with the routine ellinit. However, in 
some cases (we can not figure out when or why), elltors needs such a pre- 
cision that it may become unpractical. It remains, however, as our favourite 
choosing for medium-size coefficients. Here are the time results, expressed as 
(time for ellinit) + (time for elltors), for the previous examples, together 
with the precision (by 100) required. 



Curve 


Precision 


Time 


El 


> 3600 


?? 


E2 


1300 


1.05s + 11.92s 


E3 


200 


0.06s + 0.08s 



For E3 elltors gave an incorrect result: it output C4 for the structure. 
Hence there appears to be some minor bug in the implementation. In all our 
computations, no errors were found in elltors when working with cyclic 
groups. 

APECS Tor uses the polynomials mentioned at the end of section 4. 
When you introduce a curve, which you must do before computing its tor- 
sion, it computes a great deal of data, in particular a bound for the torsion 
subgroup and other relevant quantities. If data are moderately large (even 
significantly smaller than the examples) this takes a huge lot of time: we 
mean hours for the examples above. Anyway, its library is really huge, so, 
for small-size coefficients, APECS will surely have a lot of information (of 
course everything concerning rational torsion points) only to look up to. 
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